Chaos Computer Club unlocks iPhones with high-resolution image-based tactic, points out legal dangers

iPhone owners who use the fingerprint sensor in place of a password should be aware that it's pretty much useless from a security perspective. It turns out that, as with past inexpensive fingerprint readers, the system can easily be tricked by showing it a photograph of the target's fingerprint.

The trick -- as a CCC member who goes by the handle "Starbug" states -- is to use at least 2,400 dots per inch (dpi) for the photograph of the target's fingerprint, and 1,200 dpi for the printed copy. Comments "Starbug", "In reality, Apple's sensor has just a higher resolution compared to the sensors so far. So we only needed to ramp up the resolution of our fake. As we have said now for more than years, fingerprints should not be used to secure anything. You leave them everywhere, and it is far too easy to make fake fingers out of lifted prints."

The hack is demonstrated in a video posted by the CCC to YouTube.

The only "trick" beyond the resolution is that you need to print onto a transparent sheet and, after printing, lift the fingerprint onto a polymer using "pink latex milk or white woodglue". The latex layer is then cured, lifted, and breathed upon to "make it a tiny bit moist and then placed onto the sensor to unlock the phone."

The iPhone 5S's sensor can easily be tricked with a "fake finger". [Image Source: Apple]

It's important to note that the only part of the process that involves the target user -- getting their fingerprint -- can be done quickly and surreptitiously. The remaining steps can be taken at their own pace at a secure location of the unlocker's choosing.

We hope that this finally puts to rest the illusions people have about fingerprint biometrics. It is plain stupid to use something that you can't change and that you leave everywhere every day as a security token. The public should no longer be fooled by the biometrics industry with false security claims. Biometrics is fundamentally a technology designed for oppression and control, not for securing everyday device access.

The group raises another interesting point regarding smartphone unlocking and legality. The group writes:

Also, you can easily be forced to unlock your phone against your will when being arrested. Forcing you to give up your (hopefully long) passcode is much harder under most jurisdictions than just casually swiping your phone over your handcuffed hands.

If you get arrested, and have an iPhone with fingerprint unlock enabled, police can easily get ahold of your private data. [Image Source: BUSINESS, GOVERNMENT AND SOCIETY FIVE]

In other words, the supposed "crowning" feature on Apple's new smartphone may be worse than worthless -- it may be luring users into a false sense of security and compromising their data.

The site istouchidhackedyet.com says the CCC was the first group or individual to report a successful hack on the sensor. The site is in the process of confirming the CCC's hack. Once it is confirmed, the CCC will receive the hoard of goodies, including sweet, sweet cash.

You're assuming my OP had anything particularly to do with the fingerprint scanner. It didn't.

Also:

quote: This feature is rather innovative in my opinion.

No it isn't. Such things have been in use for a very long time, including on mobile devices like laptops. As is the rule with an Apple product, there's no innovation anywhere to be found. Just copying an idea someone else had.

I've always been pissed at Apple for not copying more. After all, there was Microsoft Bob. Bob could have been big.

Imagine how popular Bob would have been if Apple has pushed him to all its stupid customers.

But, sadly, true innovation is often lost on the consumer world, because people buy into the copycat fluff. Windows wasn't successful at all, even though it came out after the Lisa OS and the Mac OS. It's a true shame.

quote: I've always been pissed at Apple for not copying more. After all, there was Microsoft Bob. Bob could have been big. Imagine how popular Bob would have been if Apple has pushed him to all its stupid customers.

Fair enough. My liking to this is that the new commanders at Apple seem to be as smart as our esteemed late Steve Jobs was. They know how to give a product something that will leave all the owners of previous iPhone versions desperately wanting to upgrade. See, this tech business is not only about providing good hardware, it's also about making people want it no matter what. Hence I see the argument that this is not perfectly secure. But the brilliance lies in selling it in the way that only Apple can sell it. Ever heard the story of the salesman who sold ice to an Eskimo? That's business for you.

You don't think that the engineers at Apple would already have argued exactly as we are arguing now about the merits? Those people know exactly what their product can and can not do. But then, no one has to know that right? (Except us of course). I prefer to call it natural selection, you never know how many iSheep will die of hunger after spending all they have on the newest iPhone. Darwinism at its finest.

The problem is that nothing is foolproof and the curve of security strength graphed against user convenience is logarithmic; adding security past a certain point also adds huge inconvenience.

What is required is to increase security and increase ease of use. That's difficult but Apple has done it with Touch ID combined with the new Phone Activation Lock feature.

The aim of Touch ID was twofold.

a) To improve security.

Combined with the new password protected Activation Lock it does that.

b) While increasing security actually make it less intrusive and easier for the user.

Touch ID seems to do that because a recurring meme in all the reviews of the 5s is how using Touch ID to unlock the phone is so much simpler and easier than entering a passcode every time that most reviewers found themselves trying to use it when they returned to using their old non-Touch ID devices.

In two years' time all Apple devices (maybe their laptops as well) will feature Touch ID and everybody will think that typing in access pass codes and pins is archaic and old fashioned, except of course for those unfortunate people stuck using devices without Touch ID.

As is always the case with Apple security 'scares' in the real world the exploitation of this method of cracking Touch ID will be vanishingly small.

So Tony here is your post about the total secure and reliable Fingerprint-Scanner:

quote: In the Authentec/Apple patent a fingertip is imaged via a different technique: Radiofrequency scanning. Skin and flesh, thanks to the cocktail of chemicals they contain, have their own electrical signature--meaning a human body can in fact block a radio signal of the right frequency, while other frequencies sail right through us more or less unaffected. The sensor in the new patent makes use of this fact by sending out very precise radio signals over a very short range and detecting the signals that have been affected by the bumps and gaps in a human fingertip. Basically the tiny ridges of flesh in a fingerprint affect the electrical signals coming from the sensor array in a measurable way, allowing the device to calculate the position and alignment of all the whorls and loops.

The advantage of this system is that you couldn't fool it with an image of a fingerprint or a latex cast of a fingerprint because the RF signals from the sensor have to interact with a material that has a flesh-like radio response in order to register the print. It's suggested that the sensor can also detect live tissue beyond the simple skin of a fingerprint, which removes the one scary scenario whereby a determined thief would "steal" the finger in question.

Offering total security via reliable fingerprint technology built right in is a big deal for corporate and government IT. I expect this will make the iPhone 5S the default phone for corporate customers.

And again you posted total BS, congrats. I wonder how you're gonna twist this again.

Thank you... I was going to go dig that up for Tony LOL. I specifically was going for this post.

by Tony Swash: "The advantage of this system is that you couldn't fool it with an image of a fingerprint or a latex cast of a fingerprint because the RF signals from the sensor have to interact with a material that has a flesh-like radio response in order to register the print."

quote: What is required is to increase security and increase ease of use. That's difficult but Apple has done it with Touch ID combined with the new Phone Activation Lock feature.

Wait. You just essentially admitted that improving security without compromising convenience is impossible, yet you claim how Apple accomplished that with Touch ID.

quote: how using Touch ID to unlock the phone is so much simpler and easier than entering a passcode every time

What passcode?

All I need to do to unlock my iPhone 4S is slide-to-unlock. I don't need a 4-digit passcode that I'm more than likely to forget in a few weeks. Use a finger to unlock and authorize purchases? Seriously?

You're advocating using the least secure authentication method (short of storing passwords in plaintext) to unlock your latest and greatest smartphone. That's worse than having no locking security mechanism in the first place.

All a criminal needs to do is stalk you for about an hour so as to collect all the fingerprints you leave behind. Put a gun at your forehead and threaten to pull the trigger if you don't swipe your about-to-be-stolen iPhone 5S with your fingers. Being the deluded Apple sheep you are, you'll do what he demands. Then he pulls the trigger anyways because he's got what he wants. He won't care that you're dead, because he's got the vital access code he needs to do things under your credentials.

It's a lot more likely than you'd think.

Oh and by the way, the average response time of police coming to investigate a crime is about 10-15 minutes, and the police do not have an obligation to protect you. What are you going to trust more? Apple's Touch ID, or a concealed carry?

If a criminal waits for you for ONE HOUR prior to stealing your phone .... they deserve your phone. I've never heard of a thief in first world country that will go to that kinda of length. It's not really a revenue generating model looking strictly at the volume basis.

Do you honestly think 4-PIN passcode is more secure than TouchID? With passcode, all you need is a software to wipe your phone. With TouchID, you still need to lift fingerprints, and all the hassle. A common thief would not go through those lengths.

It's a whole lot more secure than no passcode or with passcode.

Your argument about killing people or chopping their thumb? If they are willing to kill or chomp off your thumb .... no technology will save you. Because they'll just ask you to give them the phone/password/etc ... or they will kill you.

They won't care if you're dead.

What's concealed carry got to do with TouchID? Are you Zimmerman's friend or something?

quote: I've never heard of a thief in first world country that will go to that kinda of length.

What's an hour when the potential value of the data you can pilfer from it is immeasurable? You're not thinking hard enough.

quote: Do you honestly think 4-PIN passcode is more secure than TouchID?

You can change a weak 4-number PIN at will. You can't do that with any of your bodily features.

quote: It's a whole lot more secure than no passcode or with passcode.

No, it isn't.

Authentication by fingerprint does the following:

- regular passwords are ambiguous; they seldom directly identify the person using it. However, a fingerprint can identify the person. This is BAD.
- regular passwords can be changed at will. Fingerprints cannot without super-expensive plastic surgery (which is out of reach even for 99% of the top one percent). This is BAD.
- you have to put the victim within an inch of their lives to make them cough up a password. Fingerprints? You leave your marks on everything you touch. Your enemies don't need to coerce you to give up your prints, either. This is BAD.